OneSignalUserDefaults uses NSKeyedUnarchiver method flagged as unsafe

**Description:**

The class `OneSignalUserDefaults` relies on a deprecated method of `NSKeyedUnarchiver`, [`+ unarchiveObjectWithData:`](https://developer.apple.com/documentation/foundation/nskeyedunarchiver/1413894-unarchiveobjectwithdata?language=objc), which has been deemed unsafe. This was called out by submitting our application code, including the OneSignal iOS SDK, to a scanning service. For reference, the report includes a callout to [CVE-676](http://cwe.mitre.org/data/definitions/676.html) with respect to this case.

Apple's recommendation is to use [`+unarchivedObjectOfClass:fromData:error:`](https://developer.apple.com/documentation/foundation/nskeyedunarchiver/2962884-unarchivedobjectofclass?language=objc), introduced in iOS 11.0. The practicality of this change is not currently clear without further review of the code and some experimentation.

**Environment**
1. SDK version 3.2.1
2. Added to project using Carthage
3. Xcode 12
4. App targeting iOS 12.0 and newer

**Steps to Reproduce Issue:**
N/A

**Anything else:**
I can work on devising a way to use `+unarchivedObjectOfClass:fromData:error:` when running on iOS 11.0 or newer, but it would help to know if there are any design requirements of `OneSignalUserDefaults` that should be kept in mind.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OneSignalUserDefaults uses NSKeyedUnarchiver method flagged as unsafe #919

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OneSignalUserDefaults uses NSKeyedUnarchiver method flagged as unsafe #919

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions